Key Legislation:

Check Clearing for the 21st Century Act (Check 21)

Passed in 2004, Check 21 enhances the check processing system and allows checks to be processed electronically. Check 21 allows banks to issue substitute checks in place of original checks; however, each bank that creates substitute checks also bears certain warranties and liabilities that the original paper check will not also be presented.

Although Check 21 does not set retention requirements for checks or dictate a method for destroying checks, most banks refer to established federal and state record retention schedules when creating their document retention policies.

Economic Espionage Act of 1996 (EEA)

The EEA was enacted in 1996 and was designed to prevent employees and their future employers from taking advantage of confidential information taken while employed elsewhere. The Act defines severe penalties for the theft of trade secrets and offers federal protection to companies who take “reasonable measure” to safeguard their information.

The Fair and Accurate Credit Transactions Act (FACTA)

The FACT Act was passed in 2003 and established uniform national standards in key areas of regulation regarding the handling and disposal of consumer information in the possession of all companies and organizations.

The FACTA Disposal Rule

The Rule applies to any person or entity that maintains or otherwise possesses consumer information derived from a consumer report for a business purpose. The Rule requires “disposal practices that are reasonable and appropriate” to prevent unauthorized access to or the use of consumer information.

The Rule describes reasonable practices as establishing and complying with policies to:

Burn, pulverize, or shred papers containing consumer information so that the information cannot be read or reconstructed.
Destroy or erase electronic files or media containing consumer information in a manner so that the information cannot be read or reconstructed.
Hire a document destruction contractor to dispose of material containing consumer information.

The FTC “encourages those who dispose of any records containing a consumer’s personal or financial information to take similar protective measures”.

Federal Privacy Act of 1974

The Federal Privacy Act was established in 1974 to ensure that government agencies protect the privacy of individuals and businesses in regard to information held by them and to hold these agencies liable for any information released without proper authorization.

Gramm-Leach-Bliley Act (GLB)

Enacted in 1999 and billed as the Financial Modernization Act, GLB requires financial institutions and insurance companies to give prior notice to consumers of an intention to share personal information as well as an opportunity to opt out of the sharing of such information.

The law mandates that institutions and companies need to "respect the privacy of its customers and to protect the security and confidentiality of those customers' non-public information." The language in the Safeguards Rule suggests that paper documents containing such personal information should also be protected and safely destroyed.

The Safeguards Rule

The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions – such as credit reporting agencies – that receive customer information from other financial institutions.

Follow this link for more information.
www.ftc.gov/privacy/privacyinitiatives/glbact.html

Health Insurance Portability & Accountability Act (HIPAA)

Since 1996, all hospitals, doctors, pharmacies, health plans, medical billing companies and any other business entity involved in the healthcare industry must comply with HIPAA rules. The rules apply to all protected health information.

The Standard for Privacy of Identifiable Health Information requires that covered entities put in place administrative, technical and physical safeguards to protect the privacy of protected health information. An example given as a safeguard for the proper disposal of paper documents containing protected health information is that the documents be shredded prior to disposal.

Identity Theft Penalty Enhancement Act

Signed into law in 2004, the Identity Theft Penalty Enhancement Act established Aggravated Identity Theft as a new federal crime. The Act provides for punishment to include imprisonment for violations in relation to any felony outlined in the act for anyone who knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person.

Sarbanes-Oxley Act (SOX)

Intended to enhance corporate responsibility and financial reporting, SOX was enacted in 2002. Section 404 of the Act establishes new standards for internal control over financial reporting.

USA Patriot Act

Enacted in 2001 in an effort to “deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigator tools and for other purposes,” the Act was renewed in 2006 as the Improvement and Reauthorization Act. More than 15 existing laws were amended by the passing of the Patriot Act, which significantly expanded the scope of law enforcement investigations.

Due to expanded law enforcement authority, all companies that do business in the United States may be affected. Section 215 of the Act requires that companies be able to produce information quickly for law enforcement, emphasizing the need for businesses to have document management programs that ensure proper storage and record retention.

US Safe Harbor Program

Effective October 1998, the US Safe Harbor program requires organizations that participate to take reasonable measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.